Diffstat (limited to 'src/runtime/extern.go')
-rw-r--r--  src/runtime/extern.go  19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/runtime/extern.go b/src/runtime/extern.go
index 15c519d233..f85b9cb114 100644
--- a/src/runtime/extern.go
+++ b/src/runtime/extern.go
@@ -200,6 +200,25 @@ the set of Go environment variables. They influence the building of Go programs
GOARCH, GOOS, and GOROOT are recorded at compile time and made available by
constants or functions in this package, but they do not influence the execution
of the run-time system.
+
+# Security
+
+On Unix platforms, Go's runtime system behaves slightly differently when a
+binary is setuid/setgid or executed with setuid/setgid-like properties, in order
+to prevent dangerous behaviors. On Linux this is determined by checking for the
+AT_SECURE flag in the auxiliary vector, on the BSDs and Solaris/Illumos it is
+determined by checking the issetugid syscall, and on AIX it is determined by
+checking if the uid/gid match the effective uid/gid.
+
+When the runtime determines the binary is setuid/setgid-like, it does three main
+things:
+ - The standard input/output file descriptors (0, 1, 2) are checked to be open.
+ If any of them are closed, they are opened pointing at /dev/null.
+ - The value of the GOTRACEBACK environment variable is set to 'none'.
+ - When a signal is received that terminates the program, or the program
+ encounters an unrecoverable panic that would otherwise override the value
+ of GOTRACEBACK, the goroutine stack, registers, and other memory related
+ information are omitted.
*/
package runtime
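Review bot: The AIX sentence in the new "# Security" section reads inverted: "determined by checking if the uid/gid match the effective uid/gid" suggests that matching ids trigger secure mode, whereas the setuid/setgid-like case is the one where they differ. Suggest "on AIX it is determined by checking whether the real uid/gid differ from the effective uid/gid". Two smaller doc points in the same hunk: "setuid/setgid-like properties" is used without saying what it covers, and since the Linux branch defers to the kernel's AT_SECURE decision rather than to the file mode bits, a sentence saying that the runtime honors the platform's secure-execution indicator (not just the setuid/setgid bits) would make the scope clear; and the first list item states that closed descriptors 0, 1, 2 are reopened on /dev/null but not why, so a clause such as "so that files opened later by the program cannot be assigned those descriptor numbers" would tell readers what the check protects against.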